From: Heiko Schocher <hs@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] common, image-sig: [BUG?] if no valid signature node found, do not boot signed FIT image
Date: Fri, 9 Jun 2017 06:52:41 +0200 [thread overview]
Message-ID: <593A2999.90406@denx.de> (raw)
In-Reply-To: <CAPnjgZ2hyZP8SaLkunjO6rzZqvY8H7M_q2Y40b3VMRr5Zimizw@mail.gmail.com>
Hello Simon,
Am 09.06.2017 um 05:05 schrieb Simon Glass:
> Hi Heiko,
>
> On 8 June 2017 at 03:52, Heiko Schocher <hs@denx.de> wrote:
>> fit_image_verify_required_sigs() must return != 0, on error.
>>
>> When fit_image_verify_required_sigs() does not find a signature
>> node, it returns 0, which leads in booting a signed FIT image.
>>
>> Fix this!
>>
>> Signed-off-by: Heiko Schocher <hs@denx.de>
>> ---
>>
>> Found on an imx28 based board, with key dtb appended to u-boot.bin.
>>
>> Booting signed FIT image without an valid key dtb appended to u-boot.bin
>> shows:
[...]
>> common/image-sig.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/common/image-sig.c b/common/image-sig.c
>> index 455f2b9..646fb08 100644
>> --- a/common/image-sig.c
>> +++ b/common/image-sig.c
>> @@ -265,7 +265,7 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
>> if (sig_node < 0) {
>> debug("%s: No signature node found: %s\n", __func__,
>> fdt_strerror(sig_node));
>> - return 0;
>> + return 1;
>
> Thanks for finding/fixing this! I suggest returning -EPERM.
Ok, changed.
> Also note that using image-based security is somewhat insecure since
> people can mix and match them. Configuration signing is preferred if
> you can do it.
I do this, here my configurations node from the its file:
configurations {
default = "conf at 1";
conf at 1 {
description = "board config 1";
kernel = "kernel at 1";
fdt = "fdt at 1";
ramdisk = "ramdisk at 1";
signature at 1 {
algo = "sha256,rsa4096";
key-name-hint = "dev";
};
};
};
> As Tom said, can you add a test please?
Hmm... tried with current U-Boot, the steps described in
test/image/test-fit.py
# make O=sandbox sandbox_config
# make O=sandbox
# ./test/image/test-fit.py -u sandbox/u-boot
and get:
pollux:u-boot hs [master] $ ./test/image/test-fit.py -u sandbox/u-boot
FIT Tests
=========
Warning (unit_address_vs_reg): Node /reset at 0 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/kernel at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/kernel at 2 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/fdt at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/fdt at 1/signature at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/ramdisk at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/ramdisk at 2 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /configurations/conf at 1 has a unit name, but no reg property
Kernel load
U-Boot 2017.07-rc1-00997-gad701b1 (Jun 09 2017 - 06:18:46 +0200)
DRAM: 128 MiB
MMC:
Using default environment
In: serial
Out: serial
Err: serial
SCSI: Net: No ethernet found.
IDE: Bus 0: not available
18474 bytes read in 0 ms
## Loading kernel from FIT Image at 00001000 ...
Using 'conf at 1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel at 1' kernel subimage
Description: unavailable
Created: 2017-06-09 4:19:13 UTC
Type: Kernel Image
Compression: uncompressed
Data Start: 0x000010c8
Data Size: 3491 Bytes = 3.4 KiB
Architecture: Sandbox
OS: Linux
Load Address: 0x00040000
Entry Point: 0x00000008
Verifying Hash Integrity ... OK
## Loading fdt from FIT Image at 00001000 ...
Using 'conf at 1' configuration
Trying 'fdt at 1' fdt subimage
Description: snow
Created: 2017-06-09 4:19:13 UTC
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x00002d30
Data Size: 193 Bytes = 193 Bytes
Architecture: Sandbox
Sign algo: sha1,rsa2048:dev
Sign value: unavailable
Timestamp: unavailable
Verifying Hash Integrity ... sha1,rsa2048:dev- OK
Booting using the fdt blob at 0x002d30
Loading Kernel Image ... OK
3491 bytes written in 0 ms
193 bytes written in 0 ms
4591 bytes written in 0 ms
3491 bytes written in 0 ms
4591 bytes written in 0 ms
Expected '%s' but not found in output:
U-Boot 2017.07-rc1-00997-gad701b1 (Jun 09 2017 - 06:18:46 +0200)
DRAM: 128 MiB
MMC:
Using default environment
In: serial
Out: serial
Err: serial
SCSI: Net: No ethernet found.
IDE: Bus 0: not available
18474 bytes read in 0 ms
## Loading kernel from FIT Image at 00001000 ...
Using 'conf at 1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel at 1' kernel subimage
Description: unavailable
Created: 2017-06-09 4:19:13 UTC
Type: Kernel Image
Compression: uncompressed
Data Start: 0x000010c8
Data Size: 3491 Bytes = 3.4 KiB
Architecture: Sandbox
OS: Linux
Load Address: 0x00040000
Entry Point: 0x00000008
Verifying Hash Integrity ... OK
## Loading fdt from FIT Image at 00001000 ...
Using 'conf at 1' configuration
Trying 'fdt at 1' fdt subimage
Description: snow
Created: 2017-06-09 4:19:13 UTC
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x00002d30
Data Size: 193 Bytes = 193 Bytes
Architecture: Sandbox
Sign algo: sha1,rsa2048:dev
Sign value: unavailable
Timestamp: unavailable
Verifying Hash Integrity ... sha1,rsa2048:dev- OK
Booting using the fdt blob at 0x002d30
Loading Kernel Image ... OK
3491 bytes written in 0 ms
193 bytes written in 0 ms
4591 bytes written in 0 ms
3491 bytes written in 0 ms
4591 bytes written in 0 ms
Traceback (most recent call last):
File "./test/image/test-fit.py", line 481, in <module>
run_tests()
File "./test/image/test-fit.py", line 470, in run_tests
run_fit_test(mkimage, options.u_boot)
File "./test/image/test-fit.py", line 395, in run_fit_test
line = find_matching(stdout, 'Booting using the FDT blob at ')
File "./test/image/test-fit.py", line 286, in find_matching
raise ValueError('Test aborted')
ValueError: Test aborted
:-(
With my patch:
pollux:u-boot hs [master] $ git diff
diff --git a/common/image-sig.c b/common/image-sig.c
index 455f2b9..e5ba85a 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -265,7 +265,7 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
if (sig_node < 0) {
debug("%s: No signature node found: %s\n", __func__,
fdt_strerror(sig_node));
- return 0;
+ return -EPERM;
}
fdt_for_each_subnode(noffset, sig_blob, sig_node) {
pollux:u-boot hs [master] $ ./test/image/test-fit.py -u sandbox/u-boot
FIT Tests
=========
Warning (unit_address_vs_reg): Node /reset at 0 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/kernel at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/kernel at 2 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/fdt at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/fdt at 1/signature at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/ramdisk at 1 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /images/ramdisk at 2 has a unit name, but no reg property
Warning (unit_address_vs_reg): Node /configurations/conf at 1 has a unit name, but no reg property
Kernel load
U-Boot 2017.07-rc1-00997-gad701b1-dirty (Jun 09 2017 - 06:21:36 +0200)
DRAM: 128 MiB
MMC:
Using default environment
In: serial
Out: serial
Err: serial
SCSI: Net: No ethernet found.
IDE: Bus 0: not available
18474 bytes read in 1 ms (17.6 MiB/s)
## Loading kernel from FIT Image at 00001000 ...
Using 'conf at 1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel at 1' kernel subimage
Description: unavailable
Created: 2017-06-09 4:22:07 UTC
Type: Kernel Image
Compression: uncompressed
Data Start: 0x000010c8
Data Size: 3491 Bytes = 3.4 KiB
Architecture: Sandbox
OS: Linux
Load Address: 0x00040000
Entry Point: 0x00000008
Verifying Hash Integrity ... error!
Unable to verify required signature for '' hash node in 'kernel at 1' image node
Bad Data Hash
ERROR: can't get kernel image!
XIP Invalid Image ... OK
3491 bytes written in 0 ms
193 bytes written in 0 ms
4591 bytes written in 0 ms
3491 bytes written in 0 ms
4591 bytes written in 0 ms
U-Boot 2017.07-rc1-00997-gad701b1-dirty (Jun 09 2017 - 06:21:36 +0200)
DRAM: 128 MiB
MMC:
Using default environment
In: serial
Out: serial
Err: serial
SCSI: Net: No ethernet found.
IDE: Bus 0: not available
18474 bytes read in 1 ms (17.6 MiB/s)
## Loading kernel from FIT Image at 00001000 ...
Using 'conf at 1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel at 1' kernel subimage
Description: unavailable
Created: 2017-06-09 4:22:07 UTC
Type: Kernel Image
Compression: uncompressed
Data Start: 0x000010c8
Data Size: 3491 Bytes = 3.4 KiB
Architecture: Sandbox
OS: Linux
Load Address: 0x00040000
Entry Point: 0x00000008
Verifying Hash Integrity ... error!
Unable to verify required signature for '' hash node in 'kernel@1' image node
Bad Data Hash
ERROR: can't get kernel image!
XIP Invalid Image ... OK
3491 bytes written in 0 ms
193 bytes written in 0 ms
4591 bytes written in 0 ms
3491 bytes written in 0 ms
4591 bytes written in 0 ms
Traceback (most recent call last):
File "./test/image/test-fit.py", line 481, in <module>
run_tests()
File "./test/image/test-fit.py", line 470, in run_tests
run_fit_test(mkimage, options.u_boot)
File "./test/image/test-fit.py", line 388, in run_fit_test
fail('Kernel not loaded', stdout)
File "./test/image/test-fit.py", line 306, in fail
raise ValueError("Test '%s' failed: %s" % (test_name, msg))
ValueError: Test 'Kernel load' failed: Kernel not loaded
pollux:u-boot hs [master] $
Can you verify this?
Thanks!
bye,
Heiko
>
>> }
>>
>> fdt_for_each_subnode(noffset, sig_blob, sig_node) {
>> --
>> 2.7.4
>>
>
> Regards,
> Simon
>
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
next prev parent reply other threads:[~2017-06-09 4:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-08 9:52 [U-Boot] [PATCH] common, image-sig: [BUG?] if no valid signature node found, do not boot signed FIT image Heiko Schocher
2017-06-09 1:06 ` Tom Rini
2017-06-09 3:05 ` Simon Glass
2017-06-09 4:52 ` Heiko Schocher [this message]
2017-08-04 22:20 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=593A2999.90406@denx.de \
--to=hs@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox